Manually add geo point to server logs

How do I add the location of our servers as a geo-point that can be used with Kibana Maps to the logs of that server?

For example:
Let's say a log has agent.name "AgentExample01", then I would match on that, and add lat and lon, so I could see that "AgentExample01" and visualize its logs on a Kibana Map.

I want to be able to visualize our data on a map. Because it is coming from 100+ places in our country. But I don't know how to manually add the location of the servers to the incoming logs.

For example I'd like to be able to see Uptime on a Map. If a server doesn't respond via Heartbeat, then I'd like to see a Red dot on the map.
Or if it has high CPU usage and/or Load, then I'd like to put a yellow dot on the map where that server is.

The correct way to do this would be to add in your servers' beats configuration their location, so they add to each event their proper metadata in the Elastic Common Schema.

It's documented in the heartbeat installation guide and on this guide.

With the geo metadata the Uptime app, part of the Observability solution, will show you a map as described in this blog post.


Another way would be to use the Elastic Maps instead, create a new index with the server locations (for example uploading a GeoJSON file in Kibana Maps), and then create a map that does the Term Join in the browser to count (fo example) the number of measurements in the last X minutes.

Hope it helps.

1 Like

Thanks a lot! Will try this tomorrow. Attaching it to our internal issue.

Made a quick attempt with the Term Join method, but it doesn't seem to work for us: image

Trying the other method tomorrow

Is there an easy way to do this when you manage the Beats with Puppet?

@maltewhiite I manage this through Ansible, using the Add Observer Data as mentioned.

So with each deployment of a beats shippers, the variables are substituted with the actual geo locations from a reference file.

Screen Shot 2021-10-05 at 1.44.59 PM

2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.